You’re not getting popped by a zero-day. You’re getting popped by a button. ✅ “Allow access” ✅ “Approve device” ✅ “Run this repo.” 😑
The ugly trend in recent write-ups: attackers are weaponizing legitimate auth and OAuth flows (redirection tricks, device-code phishing, even app-specific passwords) because the activity looks like normal business until your SaaS logs start sweating.
So we ranked the 3 crews best positioned to abuse MCP-style tool/integration approvals quickly:
UNC3944: help desk + identity workflows (big SaaS enterprises)
TraderTraitor (UNC4899 / Slow Pisces): dev endpoints → keys → cloud control planes
UNC6293: long-lived mailbox/docs access via legit auth features
Quick gut-check: who in your org can grant a high-scope connector… without anyone else noticing? 👀
Read / subscribe: https://blog.alphahunt.io/deep-research-whos-most-likely-to-abuse-mcp-integrations-unc3944-tradertraitor-unc6293
#AlphaHunt #OAuth #IdentitySecurity #DevSecOps #ZeroTrust